North Korean Hackers Exploit Google Find Hub to Wipe Android Devices

A highly sophisticated cyberattack has emerged in South Korea, marking the first documented case of state-sponsored actors abusing Google’s Find Hub service to remotely erase Android devices. This campaign demonstrates a dangerous evolution in Advanced Persistent Threat (APT) tactics, blending social engineering, credential theft, and legitimate security features for destructive purposes.


Who Is Behind the Attack?

Security researchers at Genians attribute this operation to the KONNI APT campaign, linked to North Korean groups Kimsuky and APT37, both operating under the 63 Research Center. These groups have a long history of espionage and cyber sabotage, but this attack introduces a new level of sophistication targeting mobile platforms.


Initial Compromise: Social Engineering at Scale

The attack began on September 5, 2025, when threat actors hijacked the KakaoTalk account of a South Korean psychological counselor who works with North Korean defector youth. Leveraging this trusted relationship, attackers distributed a malicious ZIP archive named “Stress Clear.zip” to the counselor’s contacts, turning victims into unwitting distribution channels.

Inside the archive was a Microsoft Installer (MSI) file disguised as a stress-relief program. When executed, it silently installed malware while displaying fake error messages about language pack compatibility, tricking users into believing the installation failed.


Persistence and Obfuscation Techniques

Once installed, the malware:

  • Uses AutoIt scripts and Windows Task Scheduler for persistence.
  • Places files in C:\Users\Public\Music to avoid detection.
  • Creates a scheduled task using a renamed copy of schtasks.exe called hwpviewer.exe, masquerading as a legitimate document viewer.
  • Deletes original installation files to erase forensic traces.

The MSI package carried a fraudulent digital signature from “Chengdu Hechenyingjia Mining Partnership Enterprise” in China, adding legitimacy and bypassing initial security checks.
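As an added defender-side example (not code from Genians or the report), the following Python hunts for two of the traits above: scheduled-task actions that launch from C:\Users\Public, and files in the drop directory that are byte-identical to the system schtasks.exe, which is how a renamed copy gives itself away. The sample task XML, the drop-directory path and the %PUBLIC% variant are assumptions.

```python
"""Added example (not Genians' code): hunt for the persistence traits described above."""
import hashlib
import xml.etree.ElementTree as ET
from pathlib import Path

TASK_NS = "{http://schemas.microsoft.com/windows/2004/02/mit/task}"
# Directory abused in this campaign; %PUBLIC% expands to C:\Users\Public on a default install.
PUBLIC_PREFIXES = ("c:\\users\\public\\", "%public%\\")

def audit_task_xml(xml_text: str) -> list[str]:
    """Return each Exec action (command plus arguments) that launches from C:\\Users\\Public."""
    hits = []
    for exec_node in ET.fromstring(xml_text).iter(TASK_NS + "Exec"):
        cmd = (exec_node.findtext(TASK_NS + "Command") or "").strip().strip('"')
        args = (exec_node.findtext(TASK_NS + "Arguments") or "").strip()
        if cmd.lower().startswith(PUBLIC_PREFIXES):
            hits.append(f"{cmd} {args}".strip())
    return hits

def find_renamed_copies(files: dict[str, bytes], reference: bytes) -> list[str]:
    """Names whose bytes equal the reference: a renamed schtasks.exe keeps the original SHA-256."""
    ref = hashlib.sha256(reference).hexdigest()
    return sorted(n for n, data in files.items() if hashlib.sha256(data).hexdigest() == ref)

def hunt_host(tasks_dir=r"C:\Windows\System32\Tasks", drop_dir=r"C:\Users\Public\Music",
              schtasks=r"C:\Windows\System32\schtasks.exe") -> dict:
    """Run both checks on a live Windows host (task XML files are UTF-16 with a BOM)."""
    task_hits = {}
    for p in (q for q in Path(tasks_dir).rglob("*") if q.is_file()):
        try:
            found = audit_task_xml(p.read_text(encoding="utf-16"))
        except (OSError, UnicodeError, ET.ParseError):
            continue
        if found:
            task_hits[str(p)] = found
    drops = {p.name: p.read_bytes() for p in Path(drop_dir).glob("*") if p.is_file()}
    renamed = find_renamed_copies(drops, Path(schtasks).read_bytes())
    return {"tasks": task_hits, "renamed_schtasks": renamed}

# Constructed sample task XML (not a real artifact from the report) for an offline check.
SAMPLE_TASK_XML = """<Task version="1.2" xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">
  <Actions Context="Author">
    <Exec><Command>"C:\\Users\\Public\\Music\\update.exe"</Command><Arguments>loader.au3</Arguments></Exec>
    <Exec><Command>C:\\Windows\\System32\\notepad.exe</Command></Exec>
  </Actions>
</Task>"""

if __name__ == "__main__":
    print(audit_task_xml(SAMPLE_TASK_XML))
```

Run hunt_host() on a Windows host to apply both checks to the live task store and drop directory; the pure functions can also be pointed at task XML and files collected from a forensic image.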


Command-and-Control Infrastructure

The malware communicates with servers in Germany:

  • IP: 116.202.99.218
  • Domain: bp-analytics.de

It downloads additional payloads including:

  • RemcosRAT 7.0.4 Pro
  • QuasarRAT
  • RftRAT

These RATs enable:

  • Webcam and microphone activation for physical surveillance.
  • Keystroke logging and credential theft.
  • System reconnaissance and remote control.

The Most Destructive Phase

After stealing Google account credentials, attackers gain access to Google Find Hub, a legitimate device management service designed to locate and protect lost Android devices. Using this access, they:

  1. Confirm victims are away from their devices via location queries.
  2. Issue remote factory reset commands, wiping all data from smartphones and tablets.
  3. Render devices temporarily unusable, disrupting communication and causing significant personal and operational damage.

This tactic represents a weaponization of legitimate security features, a trend that could redefine mobile threat landscapes.


Why This Attack Is Significant

  • First known case of using Google Find Hub for destructive operations.
  • Demonstrates tactical maturity in APT campaigns targeting mobile ecosystems.
  • Combines social engineering, credential theft, and legitimate services for maximum impact.

Mitigation Strategies

  • Avoid installing files from untrusted sources, even from familiar contacts.
  • Enable multi-factor authentication (MFA) for Google accounts.
  • Regularly monitor Google account activity and revoke suspicious sessions.
  • Deploy endpoint protection capable of detecting AutoIt scripts and RATs.
